Anyone who has ever negotiated a merger or acquisition knows what Verizon just demonstrated when it asked Yahoo for a billion dollars off their $4.8 billion deal. It's an object lesson in why regular penetration testing is crucial.
Penetration testing, or pen testing as it is often called, is a regular information security drill, or protocol, where white hat hackers (aka engineers) try to compromise a computer system, network or any application used by an enterprise in order to identify vulnerabilities and keep hackers out.
Why It Matters
Believe it or not, it could be a matter of national security.
The wildest scenarios would be at home in the Jason Bourne chronicles. An untouchable state-sponsored hacker hired by a government hostile to American interests at home and/or abroad drills into a massive database; the target: one guy. The goal: find anything that will make that guy easier to find and (presumably) kill.
In this scenario, purely fictional, we find state-sponsored hackers doing the information equivalent of what your friendly neighborhood burglar does when ripping apart a house to find hidden valuables. The ransacking is general and messy. The job: steal any and all information stored on the compromised server in the hope that the target's information is somewhere in there.
The logic behind this kind of smash-and-grab: The target is most likely insured by a major health insurer (so hack them) and has been a patient at a particular hospital (hack them, too); he or she uses a bank (hack it) and has a 401(k) as well as other investments (time to go phishing!); he or she has traveled with this or that airline (hack them), made purchases from an online retail site (ditto), maintained and used a personal email account with a major provider (see: Yahoo hack), drives a car, has credit cards. The list is endless.
Chances are very good that your company collects and stores information that might be deemed of interest to this hypothetical hacker.
What are you doing to protect it?
Now Back to Planet Earth
Yes, the above represents an outlier reason to keep your data safe. The main reasons are closer to home: theft of sensitive data, with its associated costs, and malware that takes control of your data and systems in order to extort money.
The average cost for each lost or stolen record this year is $158, and the average consolidated cost of a breach was $4 million.
Ransomware, of course, goes straight to the bottom line. The FBI said in April that 2016 was on pace to see one billion dollars extorted by cyber criminals.
The first three months of this year alone saw $209 million (in contrast to some $24 million in the first quarter of 2015) paid out to data kidnappers.
While the average cost of these attacks is obfuscated by the fact that many victims don't report incidents, an anecdotal industry average is between $100 and $2000 per ransomware attack, though much more has been shelled out.
The first line of defense is hiring a Chief Information Security Officer, or, if your company can't afford a full-time CISO, finding a reputable vendor that can provide a secure environment for the data you collect and store and designating a security professional in your organization to stay on top of that vendor.
The fewer employees with access to that data, the better. If it is not information that needs to be accessed daily, it should not be easy to get. You might want to consider taking seldom-accessed sensitive data offline, or "air-gapping" the network used to access sensitive data and limiting the users who are credentialed to get on that network. Multi-factor authentication is a must, as is encryption, as is intensive, continuous employee training.
This is not DIY. Your IT department cannot handle this responsibility alone. Ideally, cyber security has stakeholders in human resources, legal, and the C-suite.
At the end of the day, how much you invest in whether or not you get hacked, and in what the hackers succeed in stealing when you are compromised (and you should assume that you will be), can be an extinction-level business decision, and for that reason you should do everything in your power to gird your defenses.
In addition to securing files and making sure no one can take you out with ransomware or any other form of compromise, you need to get into the habit of hacking yourself, or paying someone else to do it.
While it is true that customer loyalty is generally not permanently affected by news of a hack (it's considered a fact of life now), it is an issue at the enterprise level.
It should be no shocker that Verizon has asked for a discount. While I wasn't privy to the contract and have no idea what representations Yahoo made regarding the state of its cyber defenses, to say the situation is inauspicious doesn't quite do it justice.
As we wait for a precedent to be set, Yahoo for sure finds itself in a less than awesome position to negotiate.
Could they have avoided this? Hard to say. It seems unlikely that Yahoo did not have a security program in place that included extensive penetration testing, but there's no way to know for sure. One thing we do know is that attacks are more certain than ever, and you need to do everything you can to be ready for them.